Blackhole Exploit Kit Renewal

An updated version of the Blackhole Exploit Kit was released a few days ago. Blackhole's authors were quick to demonstrate that the new version of this popular attack kit has been rewritten from scratch. One of the main reasons for the rewrite is the rather quick detection of malicious exploit pack modules by AV vendors. Let's explore the new aspects of Blackhole Exploit Kit 2.0.

Dynamically generated URLs that are alive only for a few seconds. Unique links are generated especially for each individual user who visits a particular resource.

Executable module is now isolated stopping AV companies from downloading it directly.

JAR and PDF files are given only for vulnerable plugin versions.

New method for determining the version of Java. "Plugindetect" no longer used for Java version detection.

All of the old exploits have now been removed from Exploit Pack such as Flash, HCP, PDF. Exploit pack now consists of 3 exploits: Java Pack (atomic + byte), PDF LibTiff, MDAC.

Lots of AV companies detect Blackhole traffic by the part of link "./main.php?varname=value". Attackers can now generate links using words from a dictionary in this new version.

Exploit Pack works only for unique users. After the second request on the same link the user will be redirected to another site or will be shown a special HTML webpage.

Dynamically generated URLs. No direct links on JAR or EXE files.

Admin panel renewal.

So we can assume that the main focus of attackers will be on Java Pack exploits.

Users who do not promptly update Adobe and Java products should be aware that attackers focus on penetrating their systems. Users of Internet Explorer 6 are exposed to risk as well.